
CN108092776A - Authentication server and authentication token - Google Patents

Authentication server and authentication token

Info

Publication number
CN108092776A
CN108092776A
Authority
CN
China
Prior art keywords
token
authentication
key
modules
signature
Prior art date
Legal status
Granted
Application number
CN201711261470.3A
Other languages
Chinese (zh)
Other versions
CN108092776B (en)
Inventor
徐睿
赵希超
游佳
刘坤
马锋
张子谦
杨华飞
杨卫东
Current Assignee
Nari Information and Communication Technology Co
Original Assignee
Nari Information and Communication Technology Co
Events
Application filed by Nari Information and Communication Technology Co
Priority to CN201711261470.3A
Publication of CN108092776A
Application granted
Publication of CN108092776B
Legal status: Active

Classifications

    • H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 ... involving a third party or a trusted authority
    • H04L 9/3213 ... involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L 9/3234 ... involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L 9/3236 ... using cryptographic hash functions
    • H04L 9/3247 ... involving digital signatures
    • H04L 9/3271 ... using challenge-response
    • H04L 9/3278 ... using challenge-response with physically unclonable functions [PUF]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 ... for authentication of entities
    • H04L 63/0807 ... for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0853 ... for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an authentication server and an authentication token. The authentication server comprises a standard FIDO server and, interconnected with it, a storage space for keys, i.e. a database. The authentication token is based on physically unclonable functions and the FIDO U2F protocol and comprises a U2F module; a PUF module, a TRNG module, a USB module and an interaction module, each connected to the U2F module; and a touch module connected to the interaction module. The identity token interacts with the client browser, and the client browser in turn interacts with the FIDO server inside the authentication server. The invention combines a physically unclonable function with FIDO: the physically unclonable function guarantees the uniqueness and non-clonability of the token, while FIDO guarantees the accuracy of the user identity and the tamper-resistance and non-repudiation of the operations performed.

Description

Authentication server and authentication token
Technical field
The invention belongs to the field of identity authentication security and relates in particular to an authentication server and an authentication token.
Background technology
With the continuous development of the global energy internet, more and more business of every kind, both within an enterprise and between enterprises, is carried out through information systems and network platforms. This new situation places ever higher demands on the resource management schemes of power enterprises, covering personnel management, financial management, production management and business administration. The core business handled in a power enterprise's information systems, such as the hiring of talent and the linking of key personnel in personnel work, the financial transactions of key business within and between enterprises in financial management, the key transactions of the service and materials classes in production management, and the distribution and assignment of key tasks and special funds within and between enterprises, is a focus of attention for the enterprise, and objectively there has to be some means of guaranteeing that the related content cannot be tampered with and cannot be repudiated.
Ensuring that enterprise staff effectively control the enterprise's core business processes, that processing is not tampered with and cannot be repudiated, and that high-quality resources within and between enterprises are monitored within a legal scope through convenient information-based means, while the monitoring itself is not influenced by the privileges of the monitoring technology, has become a key demand under the energy internet, with technical means as the key link in managing enterprise resources.
FIDO (Fast IDentity Online) is an open, extensible, interoperable set of standard protocols proposed by the FIDO Alliance. It aims to provide a technical architecture for online identity authentication with high security, cross-platform compatibility, an excellent user experience and user privacy protection, so as to change the existing online authentication model and reduce the reliance on passwords when authenticating users. FIDO has two sets of specifications: U2F (Universal Second Factor) and UAF. U2F adds a more secure second authentication factor on top of the existing username-plus-password login. The user logs in to the service with username and password as before, and the service then prompts the user to present a second-factor device for authentication. U2F allows a simple password (for example a 4-digit PIN) without sacrificing security.
Existing FIDO U2F identity tokens may be cracked, copied or cloned by a malicious attacker, which poses a serious risk to the security of the identity authentication system. To guarantee that an identity token cannot be cloned, a new technology has to be introduced. A PUF (physically unclonable function) is a hardware function circuit that relies on chip characteristics and possesses uniqueness and randomness: by extracting the process parameter deviations that are inevitably introduced during chip manufacturing, it implements a function in which an excitation signal corresponds uniquely to an unpredictable response signal. Integrating a PUF into a FIDO U2F identity token and making use of its function is a direction worth exploring.
On the other hand, random numbers play an important role in an identity authentication system. Insufficiently random numbers can allow an attacker to mount replay, interleaving and similar attacks against the identity authentication protocol, exposing the system to serious risk. To solve this problem, a true random number generator should be used in the authentication token.
Summary of the invention
To remedy the deficiencies of the prior art, the object of the invention is to provide an authentication server and an authentication token that solve the problems of the token being copied and the identity being impersonated during identity authentication, so as to guarantee that the holder's related operations cannot be tampered with or repudiated.
To achieve the above object, the invention adopts the following technical scheme. An authentication server and an authentication token, characterized in that the authentication server comprises a standard FIDO server and, interconnected with it, a storage space for keys, i.e. a database;
The authentication token is based on physically unclonable functions and the FIDO U2F protocol and comprises a U2F module; a PUF module, a TRNG module, a USB module and an interaction module, each connected to the U2F module; and a touch module connected to the interaction module;
The U2F module implements the cryptographic algorithms, human-computer interaction and external communication;
The PUF module is a physically unclonable function module, used to generate the root key, and communicates with the U2F module by challenge-response;
The TRNG module is a true random number generator;
The USB module communicates with the PC as a human interface device, forwarding the data received from the PC to the U2F module and the data processed by the U2F module back to the PC;
The touch module is a touch-sensing module comprising a touch sensor and an LED, each connected to the interaction module; during registration or authentication the LED flashes to prompt the user, and the user confirms by touching the module, which prevents unattended operation and user misoperation;
The interaction module is a human-computer interaction information processing module, connected to the touch sensor to drive it and to pass the user's operation of the touch module to the U2F module, and connected to the LED to drive it;
The identity token interacts with the client browser, and the client browser in turn interacts with the FIDO server inside the authentication server.
In the foregoing authentication server and authentication token, the verification process of the authentication token is implemented with digital signatures and involves the following keys:
1. The token private key and token certificate of the authentication token, used to verify whether the identity token is legitimate; the token private key and certificate are pre-loaded into the database of the identity token's U2F module, and the token sends the certificate to the FIDO server at registration;
2. The root key of the authentication token, used to generate the encrypted key handle; before every use of the root key, the U2F module and the PUF module run a challenge-response protocol, and only after the protocol has completed correctly does the U2F module accept the root key value sent by the PUF module;
3. The public/private key pair used for signing; these keys are generated inside the authentication token, and the physically unclonable function and the true random number generator module are used in the generation process.
In the foregoing authentication server and authentication token, the authentication server is built on the FIDO protocol and additionally stores the token certificate, signing public key and handle on top of the standard FIDO server; on receiving an authentication or registration request it generates challenge data, verifies the response data returned by the token and returns the verification result; the token private key, token certificate and root key are stored in the authentication token.
In the foregoing authentication server and authentication token, the authentication token is a hardware device that is not directly connected to the network; it interacts with the FIDO server through the client browser.
In the foregoing authentication server and authentication token, the authentication token supports two operations: registration and authentication. The user invokes the registration method on first use and the authentication method thereafter. The registration operation establishes a signing public/private key pair in the authentication token and registers the user's identity, public key and handle with the FIDO server for subsequent authentication operations; in the authentication operation the token has to prove to the FIDO server that it holds the legitimate private key.
In the foregoing authentication server and authentication token, the registration method comprises the steps:
(1) When the user requests registration in the client browser, the registered user name is entered in the client browser and sent to the FIDO server; the FIDO server generates a random number A and sends it together with the user name to the client browser. The random number effectively prevents replay attacks;
(2) The client browser checks the TLS connection to the FIDO server and, once it has determined that it is the legitimate FIDO server, the client generates the registration challenge parameter list {TLS connection data TLSData, a session random value SessionRandomValue generated at random by the client browser, random number A, user name}; the client further hashes the FIDO server URL to obtain the URL hash;
(3) The client browser sends the registration challenge parameter list and the URL hash, through the USB interface of the authentication token connected to the computer's USB port, via the USB module to the U2F module;
(4) The U2F module of the authentication token calls the digital-signature key generation algorithm to generate a signing public/private key pair; the signing public key and signing private key are computed by the key generation algorithm with the client login session information and random number A as parameters, where the login session information comprises the FIDO server URL, user name, TLSData and SessionRandomValue;
(5) The U2F module obtains its root key from the PUF module through the challenge-response protocol and, with the root key as the encryption key, calls the symmetric encryption algorithm on the signing private key and the FIDO server URL hash as plaintext; the ciphertext is the key handle. The root key is 128 bits long;
(6) The U2F module of the authentication token calls the digital signature algorithm and signs the list {key handle, signing public key, registration challenge parameter list}, producing the signature value; since step (8) verifies this signature with the token public key taken from the token certificate, the private key used here is the token private key;
(7) The U2F module sends the key handle, signing public key, registration challenge parameter list, signature value and token certificate through the USB module and USB interface to the client browser, which forwards them to the FIDO server;
(8) The FIDO server extracts the token certificate from the received message and first verifies the legitimacy of the token certificate. If it is legitimate, it extracts the token public key from the certificate and calls the signature verification algorithm with that token public key to verify the legitimacy of the signature. If the signature is legitimate, the FIDO server stores {user name, signing public key, key handle} and notifies the client browser that registration succeeded; otherwise it notifies the client that registration failed.
In the foregoing authentication server and authentication token, the key generation algorithm, symmetric encryption algorithm, hash algorithm and digital signature of steps (4), (5) and (6) have two modes: one is the Chinese national cryptographic algorithms, comprising SM2, SM3 and SM4; the other is the standard FIDO algorithms, comprising RSA, ECDSA, SHA-256 and AES. The algorithms are built into the U2F module.
In the foregoing authentication server and authentication token, the authentication method comprises the steps:
(1) After the FIDO server receives a user authentication request, it looks up the user's login key handle in the database, generates a random number B, and sends B together with the login key handle to the client;
(2) The client browser checks the TLS connection to the server and, once it has determined that it is the legitimate server, obtains the TLS connection data TLSData and hashes the list {FIDO server URL, random number B, TLSData}; the hash result is the authentication challenge value. The client further hashes the FIDO server URL to obtain the URL hash;
(3) The client browser sends the authentication challenge value, the URL hash and the login key handle through the USB interface and the USB module to the U2F module of the authentication token;
(4) When the LED of the touch module on the authentication token lights up, the user gives physical confirmation by touching the lit touch sensor; on receiving the touch confirmation, the interaction module passes the confirmation to the U2F module;
(5) The authentication signature counter of the U2F module is incremented by 1, which records the number of authentication operations performed;
(6) The U2F module obtains its root key from the PUF module through the challenge-response protocol and, with the root key, calls the symmetric encryption algorithm to decrypt the key handle, obtaining the URL hash and the signing private key;
(7) The U2F module of the authentication token checks whether the URL hash obtained by decrypting the handle matches the URL hash sent by the client in step (3); if they differ, execution is aborted and authentication fails; if they match, it proceeds to the next step;
(8) The U2F module calls the TRNG true random number generator to generate a local random number C;
(9) With the signing private key obtained by decrypting the handle in step (6), the U2F module calls the digital signature algorithm on {authentication challenge value, authentication signature counter value, local random value C} to obtain the authentication signature value;
(10) The U2F module of the authentication token sends the authentication challenge value, authentication signature value, authentication signature counter value and local random value C to the client browser, which forwards them to the FIDO server. The FIDO server looks up the user's signing public key and calls the signature verification algorithm with it to verify the legitimacy of the signature. If it is legitimate, user identity authentication succeeds; otherwise the client is notified that authentication failed.
In the foregoing authentication server and authentication token, the symmetric encryption algorithm, hash algorithm and digital signature of steps (6), (2) and (9) have two modes: one is the Chinese national cryptographic algorithms, comprising SM2, SM3 and SM4; the other is the standard FIDO algorithms, comprising RSA, ECDSA, SHA-256 and AES. The algorithms are built into the U2F module.
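The registration procedure (steps (1) to (8)) and the authentication procedure (steps (1) to (10)) modelled end to end, as an added example that is not part of the patent and not the assignee's code. It uses the patent's standard-FIDO algorithm set (ECDSA on P-256 with SHA-256 for the signatures, AES in GCM mode for the key handle) through the Python `cryptography` package; the SM2/SM3/SM4 mode is not shown. Everything the patent leaves to hardware is replaced by a labelled stand-in: the PUF module is a fixed per-device secret from which the 128-bit root key is derived (the U2F-to-PUF challenge-response handshake is not modelled), the TRNG is Python's `secrets`, the touch confirmation is a boolean, the token certificate is the raw token public key checked against a trust list, and TLSData, SessionRandomValue, the server URL `https://fido.example.com` and the user name `alice` are constructed values. Two checks that step (10) leaves implicit are made explicit on the server: it recomputes the authentication challenge from its own random number B instead of trusting the value the client echoes back, and it rejects a signature counter that has not increased, which is how a replayed response or a cloned token shows up.

```python
# Added example, not the patent's code; the PUF, the token certificate, the TRNG and TLSData are stand-ins.
import hashlib, secrets
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CURVE, ECDSA = ec.SECP256R1(), ec.ECDSA(hashes.SHA256())
X962, POINT = serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint
ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # P-256 group order

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class Token:  # U2F module, PUF root key, TRNG and touch confirmation, modelled as one device
    def __init__(self):
        puf_secret = secrets.token_bytes(32)                     # stand-in for the PUF response
        # 128-bit root key (step (5)); the patent fetches it from the PUF by challenge-response each time.
        self._root = sha256(b"root", puf_secret)[:16]
        self._token_priv = ec.generate_private_key(CURVE)        # pre-loaded token private key
        self.token_pub = self._token_priv.public_key().public_bytes(X962, POINT)  # stands in for the cert
        self.counter = 0                                         # authentication signature counter

    def register(self, reg_params: bytes, url_hash: bytes):
        seed = int.from_bytes(sha256(secrets.token_bytes(32), reg_params), "big")  # step (4)
        sign_priv = ec.derive_private_key(seed % (ORDER - 1) + 1, CURVE)
        sign_pub = sign_priv.public_key().public_bytes(X962, POINT)
        nonce = secrets.token_bytes(12)                                              # step (5)
        scalar = sign_priv.private_numbers().private_value.to_bytes(32, "big")
        handle = nonce + AESGCM(self._root).encrypt(nonce, scalar + url_hash, None)
        # Step (6): signed with the token key, the one that step (8) checks against the certificate.
        return handle, sign_pub, self._token_priv.sign(handle + sign_pub + reg_params, ECDSA)

    def authenticate(self, handle: bytes, challenge: bytes, url_hash: bytes, touched=True):
        if not touched: raise PermissionError("touch confirmation missing")  # step (4)
        self.counter += 1                                        # step (5)
        try:                                                     # step (6): open the key handle
            plain = AESGCM(self._root).decrypt(handle[:12], handle[12:], None)
        except InvalidTag:
            raise ValueError("handle was not made under this token's root key") from None
        if plain[32:] != url_hash:                               # step (7): origin binding
            raise ValueError("URL hash mismatch")
        local_random = secrets.token_bytes(16)                   # step (8): TRNG value C
        sign_priv = ec.derive_private_key(int.from_bytes(plain[:32], "big"), CURVE)
        sig = sign_priv.sign(challenge + self.counter.to_bytes(4, "big") + local_random, ECDSA)
        return challenge, sig, self.counter, local_random        # steps (9) and (10)

class FidoServer:  # standard FIDO server plus the key database the patent adds to it
    def __init__(self, url: bytes, trusted_token_pubs):
        self.url, self._trusted = url, set(trusted_token_pubs)   # trust list stands in for cert checks
        self.users, self._pending = {}, {}                       # name -> [sign_pub, handle, counter]

    def begin_register(self, username: bytes) -> bytes:
        self._pending[username] = secrets.token_bytes(32)        # random number A
        return self._pending[username]

    def finish_register(self, username, handle, sign_pub, reg_params, sig, token_pub) -> bool:
        rand_a = self._pending.pop(username)
        if token_pub not in self._trusted or rand_a.hex().encode() not in reg_params.split(b"|"):
            return False
        try:
            ec.EllipticCurvePublicKey.from_encoded_point(CURVE, token_pub).verify(
                sig, handle + sign_pub + reg_params, ECDSA)
        except InvalidSignature:
            return False
        self.users[username] = [sign_pub, handle, 0]
        return True

    def begin_auth(self, username: bytes):
        self._pending[username] = secrets.token_bytes(32)        # random number B
        return self.users[username][1], self._pending[username]  # login key handle, B

    def finish_auth(self, username, tls_data, challenge, sig, counter, local_random) -> bool:
        (sign_pub, _, last_counter), rand_b = self.users[username], self._pending.pop(username)
        # Recompute the step-(2) challenge rather than trusting the echoed value; a counter that
        # does not increase means a replayed response or a cloned token.
        if challenge != sha256(self.url, rand_b, tls_data) or counter <= last_counter:
            return False
        try:
            ec.EllipticCurvePublicKey.from_encoded_point(CURVE, sign_pub).verify(
                sig, challenge + counter.to_bytes(4, "big") + local_random, ECDSA)
        except InvalidSignature:
            return False
        self.users[username][2] = counter
        return True

def run_flow(url=b"https://fido.example.com", username=b"alice"):
    token, tls_data, url_hash = Token(), b"constructed-TLSData", sha256(url)
    server = FidoServer(url, [token.token_pub])
    rand_a = server.begin_register(username)                                     # reg step (1)
    reg_params = b"|".join([tls_data.hex().encode(), secrets.token_bytes(16).hex().encode(),
                            rand_a.hex().encode(), username])                    # reg step (2)
    handle, sign_pub, sig = token.register(reg_params, url_hash)                 # reg steps (3)-(7)
    registered = server.finish_register(username, handle, sign_pub, reg_params, sig, token.token_pub)
    outcomes = []
    for _ in range(2):                                                           # auth steps (1)-(10)
        login_handle, rand_b = server.begin_auth(username)
        response = token.authenticate(login_handle, sha256(url, rand_b, tls_data), url_hash)
        outcomes.append(server.finish_auth(username, tls_data, *response))
    return registered, outcomes, token, server, handle
```

`run_flow()` returns the registration result and the outcomes of two consecutive authentications. A handle handed to a different token, or presented together with another server's URL hash, fails inside `Token.authenticate` (the root key does not open it, or the step-(7) comparison fails), and a response submitted a second time fails in `FidoServer.finish_auth` because the random number B it was computed over has been consumed.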
Advantageous effects achieved by the invention:
A physically unclonable function is combined with FIDO: the physically unclonable function guarantees the uniqueness and non-clonability of the token, while FIDO guarantees the accuracy of the user identity and the tamper-resistance and non-repudiation of the operations performed;
Second-factor verification removes hidden dangers of conventional account/password authentication such as password leakage;
The U2F protocol guarantees the extensibility and universality of the token and enables unified identity authentication across multiple systems;
The physically unclonable function guarantees the non-clonability of the token;
The true random number generator guarantees the randomness and non-repeatability of the challenge-response mechanism in the user authentication process.
Description of the drawings
Fig. 1 is a structural diagram of the authentication server of the invention;
Fig. 2 is a structural diagram of the authentication token of the invention;
Fig. 3 is the flow chart of signing key generation.
Specific embodiments
The invention is further described below with reference to the drawings. The following embodiments serve only to illustrate the technical solution of the invention clearly and are not intended to limit the scope of protection of the invention.
As shown in Fig. 1, an authentication server comprises a standard FIDO server and, interconnected with it, a storage space for keys, i.e. a database.
As shown in Fig. 2, an authentication token based on physically unclonable functions and the FIDO U2F protocol comprises a U2F module; a PUF module, a TRNG module, a USB module and an interaction module, each connected to the U2F module; and a touch module and an LED connected to the interaction module;
The U2F module mainly implements the cryptographic algorithms, human-computer interaction, external communication and so on. The U2F module contains storage space, the encryption and decryption algorithms and the authentication counter. The U2F module is exemplified by the National Certification Z8D256U-2 chip, but is not limited to it;
The PUF module is a physically unclonable function module with an integrated physically unclonable function: on receiving an excitation it outputs an unpredictable response derived from the random variations of its internal physical structure, which guarantees the non-clonability of the identity token. It is used to generate the root key and communicates with the U2F module by challenge-response. The PUF module comprises a PUF chip, exemplified by the Quiddikey-filex-e chip of Intrinsic ID, but not limited to it;
The TRNG module is a true random number generator that produces random numbers by physical means; the numbers it generates cannot be guessed and the generation process is never periodic, which guarantees the independence of every operation. The TRNG module comprises a TRNG chip, exemplified by the Quantis AIS 31 chip of ID Quantique, but not limited to it;
The USB module communicates with the PC as a USB-HID (Human Interface Device) device, forwarding the data received from the PC to the U2F module and the data processed by the U2F module back to the PC;
The touch module is a touch-sensing module comprising a touch sensor and an LED, each connected to the interaction module; during registration or authentication the LED flashes to prompt the user, and the user confirms by touching the module, which prevents unattended operation and user misoperation;
The interaction module is a human-computer interaction information processing module, connected to the touch sensor to drive it and to pass the user's operation of the touch module to the U2F module, and connected to the LED to drive it.
The identity token interacts with the client browser, and the client browser in turn interacts with the FIDO server inside the authentication server.
The authentication process of this token is implemented with digital signatures and involves the following keys:
1. The token private key and certificate of the authentication token, used to verify whether the identity token is legitimate; the token private key and certificate are pre-loaded into the database of the identity token's U2F module, and the token sends the certificate to the FIDO server at registration;
2. The root key of the authentication token, used to generate the encrypted key handle. Reading the root key requires the participation of the PUF module. The PUF is not integrated on the main chip of the U2F module but exists as a separate chip; to guarantee the correctness of the root key, before every use of the root key the U2F main chip and the PUF chip run a challenge-response protocol, and only after the protocol has completed correctly does the main chip accept the root key value sent by the PUF chip;
3. The public/private key pair used for signing. These keys are generated inside the authentication token, and modules such as the physically unclonable function and the true random number generator are used in the generation process, which effectively guarantees the high security of the keys.
The key generation flow is shown in Fig. 3.
Table 1 shows where each key is stored, in the U2F module of the authentication token and in the FIDO server.
Table 1 Key storage table
This authentication server is built on the FIDO protocol and additionally stores the token certificate, signing public key and handle on top of the standard FIDO server. On receiving an authentication or registration request it generates challenge data, verifies the response data returned by the token and returns the verification result.
This identity token is a dedicated hardware device that is not directly connected to the network; it interacts with the FIDO server through the client browser.
The token supports two operations: registration and authentication. The user invokes the registration method on first use and the authentication method thereafter. The registration operation establishes a signing public/private key pair in the authentication token and registers the user's identity, public key and handle with the FIDO server for subsequent authentication operations; in the authentication operation the token has to prove to the FIDO server that it holds the legitimate private key.
A registration method based on the above authentication server and authentication token comprises the following steps:
(1) When the user requests registration in the client browser, the user name to be registered is entered in the client browser and sent to the FIDO server. The FIDO server generates a random number A and sends random number A together with the user name back to the client browser; using a random number effectively prevents replay attacks.
(2) The client browser checks the TLS (Transport Layer Security) connection to the FIDO server. Once it has determined that the peer is a legitimate FIDO server, the client generates the registration challenge parameter list {TLS connection data (hereinafter TLSData), the session random parameter generated by the client browser (hereinafter SessionRandomValue), random number A, user name}. The client further hashes the FIDO server URL to obtain the URL hash value.
(3) The client browser sends the registration challenge parameter list and the URL hash value through the computer's USB interface to the USB interface of the authentication token, and from there via the USB module to the U2F module.
(4) The U2F module of the authentication token calls the digital-signature key generation algorithm to generate a signature public/private key pair. The signature public key and signature private key are computed by the key generation algorithm with the client login session information and random number A as parameters, where the login session information comprises the FIDO server URL, the user name, TLSData and SessionRandomValue.
(5) The U2F module has the PUF module produce its root key through the challenge-response protocol, then calls the symmetric encryption algorithm with the root key as the encryption key and the signature private key together with the FIDO server URL hash as the plaintext; the resulting ciphertext is the key handle. The root key is 128 bits long.
(6) The U2F module of the authentication token calls the digital signature algorithm, using its own private key as the signing key, to sign the list {key handle, signature public key, registration challenge parameter list} and produce the signature value. For the verification in step (8) to succeed, this signing key must be the token private key whose public key is carried in the token certificate, as in standard U2F attestation.
(7) The U2F module sends the key handle, signature public key, registration challenge parameter list, signature value and token certificate through the USB module and USB interface to the client browser, which forwards them to the FIDO server.
(8) The FIDO server extracts the token certificate from the received message and first verifies that the token certificate is legitimate. If it is, the server extracts the token public key from the token certificate and calls the signature verification algorithm with that token public key to verify the legitimacy of the signature. If the signature is legitimate, the FIDO server stores {user name, signature public key, key handle} and notifies the client browser that registration succeeded; otherwise it notifies the client that registration failed.
The registration flow ends here.
The key generation algorithm, symmetric encryption algorithm, hash algorithm and digital signature algorithm used in steps (4), (5) and (6) have two modes: one uses the Chinese national cryptographic algorithms (SM2, SM3, SM4); the other uses the standard FIDO algorithms (RSA, ECDSA, SHA256, AES). The algorithms are built into the U2F module.
An authentication method based on the above authentication server and authentication token comprises the following steps:
(1) After the FIDO server receives a user authentication request, it looks up the user's login key handle in its database. At the same time the server generates a random number B and sends random number B together with the login key handle to the client.
(2) The client browser checks the TLS connection to the server. Once it has determined that the peer is a legitimate server, it obtains the TLS connection data (hereinafter TLSData), hashes the list {FIDO server URL, random number B, TLSData}, and takes the hash result as the authentication challenge value. The client further hashes the FIDO server URL to obtain the URL hash value.
(3) The client browser sends the authentication challenge value, the URL hash value and the login key handle through the USB interface and the USB module to the U2F module of the authentication token.
(4) After the LED of the touch module on the authentication token lights up, the user performs physical confirmation by touching the lit touch-sensing module; on receiving the touch confirmation, the interaction module passes the confirmation to the U2F module.
(5) The authentication signature counter of the U2F module is incremented by 1, which records the number of authentication operations performed.
(6) The U2F module has the PUF module produce its root key through the challenge-response protocol and calls the symmetric encryption algorithm with the root key to decrypt the key handle, obtaining the URL hash value and the signature private key.
(7) The U2F module of the authentication token checks whether the URL hash value obtained by decrypting the handle matches the URL hash value sent by the client in step (3). If they differ, execution is aborted and authentication fails; if they match, the next step is performed.
(8) The U2F module calls the TRNG true random number generator to generate a local random number C.
(9) Using the signature private key obtained by decrypting the handle in step (6), the U2F module calls the digital signature algorithm to sign {authentication challenge value, authentication signature counter value, local random value C}, obtaining the authentication signature value.
(10) The U2F module of the authentication token sends the authentication challenge value, the authentication signature value, the authentication signature counter value and the local random value C to the client browser, which forwards them to the FIDO server. The FIDO server looks up the user's signature public key and calls the signature verification algorithm with that public key to verify the legitimacy of the signature. If the signature is legitimate, user identity authentication succeeds; otherwise the client is notified that authentication failed.
The symmetric encryption algorithm, hash algorithm and digital signature algorithm used in steps (2), (6) and (9) have two modes: one uses the Chinese national cryptographic algorithms (SM2, SM3, SM4); the other uses the standard FIDO algorithms (RSA, ECDSA, SHA256, AES). The algorithms are built into the U2F module.
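The registration and authentication methods above, worked through end to end as an added example in Go. This is not code from the patent or from the applicant; it models the token and the FIDO server as two parties that share nothing but the token's attestation public key, and it exercises the URL-hash check of authentication step (7) with a look-alike origin. Assumptions beyond the page: the PUF chip and its challenge-response protocol are replaced by a fixed secret hashed down to the 128-bit root key; the token certificate is reduced to the attestation public key, which the server holds as its trust anchor; the "standard FIDO algorithms" mode is used with P-256 ECDSA, SHA-256 and AES, the AES mode being GCM so that a modified key handle fails authentication instead of decrypting to an attacker-influenced private key; TLSData, SessionRandomValue, A and B are placeholder byte strings; the signature key pair is generated at random rather than derived from the session data; and the server additionally checks that the signature counter has increased, which the patent does not spell out. The registration signature is made with the token (attestation) private key, since that is the key the server verifies it with in step (8). The names Token, Register, Authenticate, ServerRegister, ServerVerify and Demo are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models the U2F module of the patent; the field comments mark what this example assumes.
type Token struct {
	attestKey *ecdsa.PrivateKey // token private key; its public key stands in for the token certificate (assumption)
	pufSecret []byte            // assumption: a fixed secret stands in for the PUF chip's challenge response
	counter   uint32            // authentication signature counter
}
type RegResponse struct{ Handle, PubDER, Sig []byte }         // message of registration step (7)
type AuthResponse struct{ Challenge, Counter, C, Sig []byte } // message of authentication step (10)

func hashList(parts ...[]byte) []byte { d := sha256.Sum256(bytes.Join(parts, nil)); return d[:] }

// aead puts the 128-bit root key under AES-GCM: a tampered key handle is rejected, not decrypted to garbage.
func (t *Token) aead() cipher.AEAD {
	block, _ := aes.NewCipher(hashList([]byte("puf-challenge|"), t.pufSecret)[:16])
	g, _ := cipher.NewGCM(block)
	return g
}

// Register is steps (4)-(7): fresh P-256 pair, handle = nonce || Enc_root(priv || urlHash), attestation signature.
func (t *Token) Register(params, urlHash []byte) RegResponse {
	sk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key generation and rand.Read fail only if the OS CSPRNG does
	skDER, _ := x509.MarshalECPrivateKey(sk)
	pkDER, _ := x509.MarshalPKIXPublicKey(&sk.PublicKey)
	nonce := make([]byte, 12) // standard GCM nonce size
	rand.Read(nonce)
	handle := t.aead().Seal(nonce, nonce, append(skDER, urlHash...), nil)
	sig, _ := ecdsa.SignASN1(rand.Reader, t.attestKey, hashList(handle, pkDER, params))
	return RegResponse{handle, pkDER, sig}
}

// Authenticate is steps (5)-(10), touch confirmation assumed; the URL hash sealed in the handle must match the client's.
func (t *Token) Authenticate(challenge, urlHash, handle []byte) (AuthResponse, error) {
	if len(handle) < 12 {
		return AuthResponse{}, errors.New("key handle too short")
	}
	pt, err := t.aead().Open(nil, handle[:12], handle[12:], nil)
	if err != nil || len(pt) < sha256.Size {
		return AuthResponse{}, errors.New("key handle rejected")
	}
	sk, err := x509.ParseECPrivateKey(pt[:len(pt)-sha256.Size])
	if err != nil || !bytes.Equal(pt[len(pt)-sha256.Size:], urlHash) {
		return AuthResponse{}, errors.New("URL hash mismatch") // step (7): a phishing origin stops here
	}
	t.counter++
	a := AuthResponse{challenge, binary.BigEndian.AppendUint32(nil, t.counter), make([]byte, 32), nil}
	rand.Read(a.C) // local random C from the TRNG
	a.Sig, _ = ecdsa.SignASN1(rand.Reader, sk, hashList(a.Challenge, a.Counter, a.C))
	return a, nil
}

// ServerRegister is step (8): the attestation key must be trusted (the certificate check) and must have signed the response.
func ServerRegister(trusted, attestPub *ecdsa.PublicKey, params []byte, r RegResponse) (*ecdsa.PublicKey, error) {
	pk, _ := x509.ParsePKIXPublicKey(r.PubDER)
	ecPub, ok := pk.(*ecdsa.PublicKey)
	if !ok || !trusted.Equal(attestPub) || !ecdsa.VerifyASN1(attestPub, hashList(r.Handle, r.PubDER, params), r.Sig) {
		return nil, errors.New("registration rejected")
	}
	return ecPub, nil
}

// ServerVerify is step (10) plus a counter check the patent leaves implicit (a non-increasing counter suggests a clone).
func ServerVerify(pub *ecdsa.PublicKey, expected []byte, last uint32, a AuthResponse) error {
	if !bytes.Equal(a.Challenge, expected) || len(a.Counter) != 4 || binary.BigEndian.Uint32(a.Counter) <= last ||
		!ecdsa.VerifyASN1(pub, hashList(a.Challenge, a.Counter, a.C), a.Sig) {
		return errors.New("challenge, counter or signature rejected")
	}
	return nil
}

// Demo registers and authenticates against the genuine origin, then presents the same handle from a look-alike origin.
func Demo() (genuine, phishing error) {
	attest, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := &Token{attestKey: attest, pufSecret: []byte("fixed-puf-stand-in")}
	site, params := hashList([]byte("https://fido.example.com")), []byte("TLSData|SessionRandomValue|A|alice")
	reg := tok.Register(params, site)
	pub, err := ServerRegister(&attest.PublicKey, &attest.PublicKey, params, reg)
	chal := hashList([]byte("https://fido.example.com"), []byte("B"), []byte("TLSData")) // authentication step (2)
	a, authErr := tok.Authenticate(chal, site, reg.Handle)
	if err == nil && authErr == nil {
		err = ServerVerify(pub, chal, 0, a)
	}
	_, phishing = tok.Authenticate(chal, hashList([]byte("https://fido-example.com")), reg.Handle)
	return errors.Join(err, authErr), phishing
}

func main() { fmt.Println(Demo()) }
```

The genuine login verifies end to end, while the same key handle presented with the look-alike origin's URL hash is refused before the private key is ever used. Two points worth noting when building the real thing: the server must store the handle opaquely and treat the counter as monotonic per registration, and if step (5) uses a plain (unauthenticated) cipher mode, the URL-hash comparison of step (7) becomes the only integrity check on the handle, which is why an AEAD mode is used here.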
The present invention combines the physically unclonable function with FIDO: the physically unclonable function guarantees the uniqueness and non-reproducibility of the token, and FIDO guarantees the accuracy of the user identity and the tamper-resistance and non-repudiation of operations. Second-factor verification removes hidden dangers such as password leakage that exist in conventional account/password verification; the U2F protocol gives the token scalability and universality and enables unified identity authentication across multiple systems; the physically unclonable function ensures the token cannot be cloned; and the true random number generator ensures the randomness and non-repetition of the challenge-response mechanism in the user authentication process.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and variations without departing from the technical principles of the present invention, and these improvements and variations should also be regarded as falling within the scope of protection of the present invention.

Claims (9)

1. An identity authentication server and identity authentication token, characterized in that the identity authentication server comprises an interconnected standard FIDO server and a storage space for storing keys, i.e. a database;
the identity authentication token is based on a physically unclonable function and the FIDO U2F protocol and comprises a U2F module, a PUF module, a TRNG module, a USB module and an interaction module each connected to the U2F module, and a touch module connected to the interaction module;
the U2F module implements the cryptographic algorithms, human-machine interaction and external communication;
the PUF module is a physically unclonable function module for generating the root key and communicates with the U2F module in a challenge-response manner;
the TRNG module is a true random number generator;
the USB module communicates with the PC as a human interface device, forwarding data received from the PC to the U2F module and returning data processed by the U2F module to the PC;
the touch module is a touch-sensing module comprising a touch sensor and an LED, each connected to the interaction module; during registration or authentication the LED flashes to prompt the user to touch, and the user confirms by hand through the touch module, which prevents operations not initiated by the user as well as accidental user operations;
the interaction module is a human-machine interaction information processing module connected to the touch sensor, which drives the touch sensor, receives the user's operation on the touch module and passes it to the U2F module, and is connected to the LED in order to drive it;
the identity token interacts with the client browser, and the client browser in turn interacts with the FIDO server in the identity authentication server.
2. The identity authentication server and identity authentication token according to claim 1, characterized in that the authentication process of the identity authentication token is realized by digital signatures and involves the following keys:
1. the token private key and token certificate of the authentication token, used to verify whether the identity token is legitimate; the token private key and certificate are pre-loaded into the database of the identity token's U2F module, and the token sends the certificate to the FIDO server during registration;
2. the root key of the authentication token, used to generate the encrypted key handle; before every use of the root key the U2F module and the PUF module run a challenge-response protocol, and only after the protocol has completed correctly does the U2F module accept the root key value sent by the PUF module;
3. the public/private key pair used for signing; these keys are generated inside the authentication token, and the generation process uses the physically unclonable function and true random number generator modules.
3. The identity authentication server and identity authentication token according to claim 2, characterized in that the identity authentication server is built on the FIDO protocol and, on top of the standard FIDO server, additionally stores the token certificate, the signature public key and the handle; after receiving an authentication or registration request it can generate challenge data, verify the response data returned by the token and return the verification result; the token private key, token certificate and root key are stored in the identity authentication token.
4. The identity authentication server and identity authentication token according to claim 1, characterized in that the identity authentication token is a hardware device that is not connected to the network directly and interacts with the FIDO server through the client browser.
5. The identity authentication server and identity authentication token according to claim 1, characterized in that the identity authentication token supports two operations: registration and authentication; the user invokes the registration method on first use and the authentication method thereafter; the registration operation establishes a signature public/private key pair inside the authentication token and registers the user's identity, public key and handle with the FIDO server for subsequent authentication operations; in the authentication operation the token must prove to the FIDO server that it holds the legitimate private key.
6. The identity authentication server and identity authentication token according to claim 5, characterized in that the registration method comprises the steps:
(1) when the user requests registration in the client browser, the user name to be registered is entered in the client browser and sent to the FIDO server; the FIDO server generates a random number A and sends random number A together with the user name to the client browser, the random number effectively preventing replay attacks;
(2) the client browser checks the TLS connection to the FIDO server and, once it has determined that the peer is a legitimate FIDO server, generates the registration challenge parameter list {TLS connection data TLSData, the session random parameter SessionRandomValue generated by the client browser, random number A, user name}; the client further hashes the FIDO server URL to obtain the URL hash value;
(3) the client browser sends the registration challenge parameter list and the URL hash value through the computer's USB interface to the USB interface of the identity authentication token, and via the USB module to the U2F module;
(4) the U2F module of the authentication token calls the digital-signature key generation algorithm to generate a signature public/private key pair; the signature public key and signature private key are computed by the key generation algorithm with the client login session information and random number A as parameters, where the login session information comprises the FIDO server URL, the user name, TLSData and SessionRandomValue;
(5) the U2F module has the PUF module produce its root key through the challenge-response protocol and calls the symmetric encryption algorithm with the root key as the encryption key and the signature private key together with the FIDO server URL hash as the plaintext, the ciphertext being the key handle; the root key is 128 bits long;
(6) the U2F module of the authentication token calls the digital signature algorithm, using its own private key (the token private key whose public key is carried in the token certificate) as the signing key, to sign the list {key handle, signature public key, registration challenge parameter list} and produce the signature value;
(7) the U2F module sends the key handle, signature public key, registration challenge parameter list, signature value and token certificate through the USB module and USB interface to the client browser, which forwards them to the FIDO server;
(8) the FIDO server extracts the token certificate from the received message and first verifies that the token certificate is legitimate; if it is, the server extracts the token public key from the token certificate and calls the signature verification algorithm with that token public key to verify the legitimacy of the signature; if the signature is legitimate, the FIDO server stores {user name, signature public key, key handle} and notifies the client browser that registration succeeded; otherwise it notifies the client that registration failed.
7. The identity authentication server and identity authentication token according to claim 6, characterized in that the key generation algorithm, symmetric encryption algorithm, hash algorithm and digital signature algorithm used in steps (4), (5) and (6) have two modes: one uses the Chinese national cryptographic algorithms, comprising SM2, SM3 and SM4; the other uses the standard FIDO algorithms, comprising RSA, ECDSA, SHA256 and AES; the algorithms are built into the U2F module.
8. The identity authentication server and identity authentication token according to claim 5, characterized in that the authentication method comprises the steps:
(1) after the FIDO server receives a user authentication request, it looks up the user's login key handle in its database; at the same time the server generates a random number B and sends random number B together with the login key handle to the client;
(2) the client browser checks the TLS connection to the server and, once it has determined that the peer is a legitimate server, obtains the TLS connection data TLSData, hashes the list {FIDO server URL, random number B, TLSData} and takes the hash result as the authentication challenge value; the client further hashes the FIDO server URL to obtain the URL hash value;
(3) the client browser sends the authentication challenge value, the URL hash value and the login key handle through the USB interface and the USB module to the U2F module of the authentication token;
(4) after the LED of the touch module on the authentication token lights up, the user performs physical confirmation by touching the lit touch-sensing module; on receiving the touch confirmation, the interaction module passes the confirmation to the U2F module;
(5) the authentication signature counter of the U2F module is incremented by 1, which records the number of authentication operations performed;
(6) the U2F module has the PUF module produce its root key through the challenge-response protocol and calls the symmetric encryption algorithm with the root key to decrypt the key handle, obtaining the URL hash value and the signature private key;
(7) the U2F module of the authentication token checks whether the URL hash value obtained by decrypting the handle matches the URL hash value sent by the client in step (3); if they differ, execution is aborted and authentication fails; if they match, the next step is performed;
(8) the U2F module calls the TRNG true random number generator to generate a local random number C;
(9) using the signature private key obtained by decrypting the handle in step (6), the U2F module calls the digital signature algorithm to sign {authentication challenge value, authentication signature counter value, local random value C}, obtaining the authentication signature value;
(10) the U2F module of the authentication token sends the authentication challenge value, the authentication signature value, the authentication signature counter value and the local random value C to the client browser, which forwards them to the FIDO server; the FIDO server looks up the user's signature public key and calls the signature verification algorithm with that public key to verify the legitimacy of the signature; if the signature is legitimate, user identity authentication succeeds; otherwise the client is notified that authentication failed.
9. The identity authentication server and identity authentication token according to claim 8, characterized in that the symmetric encryption algorithm, hash algorithm and digital signature algorithm used in steps (2), (6) and (9) have two modes: one uses the Chinese national cryptographic algorithms, comprising SM2, SM3 and SM4; the other uses the standard FIDO algorithms, comprising RSA, ECDSA, SHA256 and AES; the algorithms are built into the U2F module.
Application CN201711261470.3A, "System based on identity authentication server and identity authentication token", priority and filing date 2017-12-04; granted as CN108092776B, legal status active.

Publications: CN108092776A (application), published 2018-05-29; CN108092776B (granted patent), published 2020-11-10.
CN117040767B (en) * 2023-10-10 2024-01-23 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Fine-grained multi-terminal identity authentication method based on PUF (physical unclonable function) and related equipment

Also Published As

Publication number Publication date
CN108092776B (en) 2020-11-10

Similar Documents

Publication Publication Date Title
CN108092776A (en) A kind of authentication server and authentication token
US9887989B2 (en) Protecting passwords and biometrics against back-end security breaches
CN102075522B (en) Secure certification and transaction method with combination of digital certificate and one-time password
US8112787B2 (en) System and method for securing a credential via user and server verification
US9231925B1 (en) Network authentication method for secure electronic transactions
CN103763631B (en) Authentication method, server and television set
CN109040067A (en) A kind of user authentication device and authentication method based on the unclonable technology PUF of physics
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN108965338B (en) Three-factor identity authentication and key agreement method under multi-server environment
CN109728909A (en) Identity identifying method and system based on USBKey
CN104917741B (en) A kind of plain text document public network secure transmission system based on USBKEY
TWI512524B (en) System and method for identifying users
CN107800675A (en) A kind of data transmission method, terminal and server
TW200952440A (en) Network helper for authentication between a token and verifiers
CN105656862B (en) Authentication method and device
CN103684798B (en) Authentication method used in distributed user service
CN112953970A (en) Identity authentication method and identity authentication system
CN104486087B (en) A kind of digital signature method based on remote hardware security module
CN107294725A (en) A kind of three factor authentication methods under environment of multi-server
WO2014141263A1 (en) Asymmetric otp authentication system
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
CN108323230A (en) A kind of method of transmission key receives terminal and distribution terminal
CN106789032A (en) The single password tripartite authentication method of privacy sharing between server and mobile device
CN114513339A (en) Security authentication method, system and device
KR20120037314A (en) Online credit card issue system and method using user identity authentication device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant